group access
Hello Gurus,
I'm trying my first attempt at ACLs, and seem not to get it working.
My tree is:
dc=boxhill,dc=com
ou=accounts,dc=boxhill,dc=com
uid=xxx,ou=accounts,dc=boxhill,dc=com
uid=yyy,ou=accounts,dc=boxhill,dc=com
uid=zzz,ou=accounts,dc=boxhill,dc=com
I have a group "admindudes" of which user xxx is the only member.
I'm looking for an ACL so that only members of the admindudes group can read the
user entries under accounts.
I add the entries by:
ldapadd -D "cn=Manager,dc=boxhill,dc=com" -W <data.ldif
That works well, as it says "adding new entry"... for each of the LDIF
records.
Now, I try to see if my read access works, by
ldapsearch -L -b "ou=accounts,dc=boxhill,dc=com" -D "uid=xxx,ou=accounts,dc=boxhill,dc=com" "(cn=*)"
This returns nothing (slapd debug output below).
Please tell me what I'm missing.
Thanks
Joe Sabu.
Here are my files:
slapd.conf
========
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/slapd.at.conf
include /usr/local/etc/openldap/slapd.oc.conf
schemacheck off
#referral ldap://ldap.itd.umich.edu
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=boxhill, dc=com"
rootdn "cn=Manager, dc=boxhill, dc=com"
directory /usr/tmp
rootpw {crypt}UhfanGxIMzepM
access to dn="(.*),ou=(.*),dc=boxhill,dc=com"
by group="cn=admindudes,ou=$2,dc=boxhill,dc=com" read
by * none
data.ldif
=======
dn: dc=boxhill, dc=com
dc: boxhill
o: My Company
objectclass: organization
objectclass: dcObject

dn: cn=Manager, dc=boxhill, dc=com
cn: Manager
sn: Manager
objectclass: person

dn: ou=accounts,dc=boxhill,dc=com
objectclass: top
objectclass: organizationalUnit
ou: accounts

dn: cn=admindudes,ou=accounts,dc=boxhill,dc=com
objectclass: top
objectclass: groupOfNames
cn: admindudes
member: uid=xxx,ou=accounts,dc=boxhill,dc=com

dn: uid=xxx,ou=accounts,dc=boxhill,dc=com
objectclass: Person
uid: xxx
cn: Joe
sn: Sabu

dn: uid=yyy,ou=accounts,dc=boxhill,dc=com
objectclass: Person
uid: yyy
cn: Jason
sn: Dude

dn: uid=zzz,ou=accounts,dc=boxhill,dc=com
objectclass: Person
uid: zzz
cn: Sergey
sn: Stud
The debug output of slapd is:
=> access_allowed: entry (ou=accounts,dc=boxhill,dc=com) attr (cn)
=> acl_get: entry (ou=accounts,dc=boxhill,dc=com) attr (cn)
<= acl_get: no match
=> acl_access_allowed: search access to entry
"ou=accounts,dc=boxhill,dc=com"
=> acl_access_allowed: search access to value "any" by ""
<= acl_access_allowed: granted by default (no matching to)
listening for connections on 3, activity on: 5r
before select active_threads 1
=> access_allowed: exit (ou=accounts,dc=boxhill,dc=com) attr (cn)
=> access_allowed: entry (cn=admindudes,ou=accounts,dc=boxhill,dc=com) attr
(cn)
=> acl_get: entry (cn=admindudes,ou=accounts,dc=boxhill,dc=com) attr (cn)
<= acl_get: [1] backend acl cn=admindudes,ou=accounts,dc=boxhill,dc=com
attr: cn
=> acl_access_allowed: search access to entry
"cn=admindudes,ou=accounts,dc=boxhill,dc=com"
=> acl_access_allowed: search access to value "any" by ""
<= ldbm_back_group: "" not in "CN=ADMINDUDES,OU=ACCOUNTS,DC=BOXHILL,DC=COM":
member
<= acl_access_allowed: matched by clause #2 access denied
=> access_allowed: exit (cn=admindudes,ou=accounts,dc=boxhill,dc=com) attr
(cn)
=> access_allowed: entry (uid=xxx,ou=accounts,dc=boxhill,dc=com) attr (cn)
=> acl_get: entry (uid=xxx,ou=accounts,dc=boxhill,dc=com) attr (cn)
<= acl_get: [1] backend acl uid=xxx,ou=accounts,dc=boxhill,dc=com attr: cn
=> acl_access_allowed: search access to entry
"uid=xxx,ou=accounts,dc=boxhill,dc=com"
=> acl_access_allowed: search access to value "any" by ""
<= ldbm_back_group: "" not in "CN=ADMINDUDES,OU=ACCOUNTS,DC=BOXHILL,DC=COM":
member
<= acl_access_allowed: matched by clause #2 access denied
=> access_allowed: exit (uid=xxx,ou=accounts,dc=boxhill,dc=com) attr (cn)
=> access_allowed: entry (uid=yyy,ou=accounts,dc=boxhill,dc=com) attr (cn)
=> acl_get: entry (uid=yyy,ou=accounts,dc=boxhill,dc=com) attr (cn)
<= acl_get: [1] backend acl uid=yyy,ou=accounts,dc=boxhill,dc=com attr: cn
=> acl_access_allowed: search access to entry
"uid=yyy,ou=accounts,dc=boxhill,dc=com"
=> acl_access_allowed: search access to value "any" by ""
<= ldbm_back_group: "" not in "CN=ADMINDUDES,OU=ACCOUNTS,DC=BOXHILL,DC=COM":
member
<= acl_access_allowed: matched by clause #2 access denied
=> access_allowed: exit (uid=yyy,ou=accounts,dc=boxhill,dc=com) attr (cn)
=> access_allowed: entry (uid=zzz,ou=accounts,dc=boxhill,dc=com) attr (cn)
=> acl_get: entry (uid=zzz,ou=accounts,dc=boxhill,dc=com) attr (cn)
<= acl_get: [1] backend acl uid=zzz,ou=accounts,dc=boxhill,dc=com attr: cn
=> acl_access_allowed: search access to entry
"uid=zzz,ou=accounts,dc=boxhill,dc=com"
=> acl_access_allowed: search access to value "any" by ""
<= ldbm_back_group: "" not in "CN=ADMINDUDES,OU=ACCOUNTS,DC=BOXHILL,DC=COM":
member
<= acl_access_allowed: matched by clause #2 access denied
=> access_allowed: exit (uid=zzz,ou=accounts,dc=boxhill,dc=com) attr (cn)
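An added model (written for this page, not code from the post or from OpenLDAP) of how slapd walks the access directive in the slapd.conf above: the target DN is matched against the "to dn=" regex, $2 is substituted into the group DN, and the "by" clauses are tried in order. The debug output shows every check being made by "" (an anonymous bind), and the model yields the same denial for an empty bind DN as for a non-member, while the listed member uid=xxx gets read.

```python
import re

# Constructed miniature of the post's data.ldif: only the DNs the ACL touches,
# keyed by lower-cased DN (slapd compares normalised DNs, as the upper-cased
# group DN in the log shows), with just the attribute the group check needs.
ENTRIES = {
    "ou=accounts,dc=boxhill,dc=com": {},
    "cn=admindudes,ou=accounts,dc=boxhill,dc=com": {
        "member": ["uid=xxx,ou=accounts,dc=boxhill,dc=com"]},
    "uid=xxx,ou=accounts,dc=boxhill,dc=com": {},
    "uid=yyy,ou=accounts,dc=boxhill,dc=com": {},
    "uid=zzz,ou=accounts,dc=boxhill,dc=com": {},
}

# The access directive from the post's slapd.conf as data: the regex of the
# 'to dn=' part and the ordered 'by' clauses (kind, pattern, access level).
ACL = {
    "dn_regex": r"(.*),ou=(.*),dc=boxhill,dc=com",
    "by": [("group", "cn=admindudes,ou=$2,dc=boxhill,dc=com", "read"),
           ("*", None, "none")],
}

def is_member(group_dn, bind_dn):
    """Membership test in the spirit of ldbm_back_group: is bind_dn listed in
    the group's 'member' attribute? An empty (anonymous) bind DN never is."""
    if not bind_dn:
        return False
    group = ENTRIES.get(group_dn.lower(), {})
    return bind_dn.lower() in (m.lower() for m in group.get("member", []))

def access(acl, target_dn, bind_dn):
    """Access level the directive yields for bind_dn on target_dn: 'default'
    when the 'to' regex does not match (slapd then grants by default, as the
    log shows for ou=accounts), else the first 'by' clause that applies."""
    m = re.search(acl["dn_regex"], target_dn, re.IGNORECASE)
    if not m:
        return "default"
    for kind, pattern, level in acl["by"]:
        if kind == "group":
            # Expand $1/$2 captured by the 'to' regex into the group DN.
            group_dn = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), pattern)
            if is_member(group_dn, bind_dn):
                return level
        elif kind == "*":
            return level
    return "none"
```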